Log Files

Listed below are the log files generated by Bro, including a brief description of the log file and links to descriptions of the fields for each log type.

Network Protocols

Log File	Description	Field Descriptions
conn.log	TCP/UDP/ICMP connections	Conn::Info
dce_rpc.log	Distributed Computing Environment/RPC	DCE_RPC::Info
dhcp.log	DHCP leases	DHCP::Info
dnp3.log	DNP3 requests and replies	DNP3::Info
dns.log	DNS activity	DNS::Info
ftp.log	FTP activity	FTP::Info
http.log	HTTP requests and replies	HTTP::Info
irc.log	IRC commands and responses	IRC::Info
kerberos.log	Kerberos	KRB::Info
modbus.log	Modbus commands and responses	Modbus::Info
modbus_register_change.log	Tracks changes to Modbus holding registers	Modbus::MemmapInfo
mysql.log	MySQL	MySQL::Info
ntlm.log	NT LAN Manager (NTLM)	NTLM::Info
radius.log	RADIUS authentication attempts	RADIUS::Info
rdp.log	RDP	RDP::Info
rfb.log	Remote Framebuffer (RFB)	RFB::Info
sip.log	SIP	SIP::Info
smb_cmd.log	SMB commands	SMB::CmdInfo
smb_files.log	SMB files	SMB::FileInfo
smb_mapping.log	SMB trees	SMB::TreeInfo
smtp.log	SMTP transactions	SMTP::Info
snmp.log	SNMP messages	SNMP::Info
socks.log	SOCKS proxy requests	SOCKS::Info
ssh.log	SSH connections	SSH::Info
ssl.log	SSL/TLS handshake info	SSL::Info
syslog.log	Syslog messages	Syslog::Info
tunnel.log	Tunneling protocol events	Tunnel::Info

Files

Log File	Description	Field Descriptions
files.log	File analysis results	Files::Info
ocsp.log	Online Certificate Status Protocol (OCSP). Only created if policy script is loaded.	OCSP::Info
pe.log	Portable Executable (PE)	PE::Info
x509.log	X.509 certificate info	X509::Info

NetControl

Log File	Description	Field Descriptions
netcontrol.log	NetControl actions	NetControl::Info
netcontrol_drop.log	NetControl actions	NetControl::DropInfo
netcontrol_shunt.log	NetControl shunt actions	NetControl::ShuntInfo
netcontrol_catch_release.log	NetControl catch and release actions	NetControl::CatchReleaseInfo
openflow.log	OpenFlow debug log	OpenFlow::Info

Detection

Log File	Description	Field Descriptions
intel.log	Intelligence data matches	Intel::Info
notice.log	Bro notices	Notice::Info
notice_alarm.log	The alarm stream	Notice::Info
signatures.log	Signature matches	Signatures::Info
traceroute.log	Traceroute detection	Traceroute::Info

Network Observations

Log File	Description	Field Descriptions
known_certs.log	SSL certificates	Known::CertsInfo
known_hosts.log	Hosts that have completed TCP handshakes	Known::HostsInfo
known_modbus.log	Modbus masters and slaves	Known::ModbusInfo
known_services.log	Services running on hosts	Known::ServicesInfo
software.log	Software being used on the network	Software::Info

Miscellaneous

Log File	Description	Field Descriptions
barnyard2.log	Alerts received from Barnyard2	Barnyard2::Info
dpd.log	Dynamic protocol detection failures	DPD::Info
unified2.log	Interprets Snort’s unified output	Unified2::Info
weird.log	Unexpected network-level activity	Weird::Info
weird_stats.log	Statistics about unexpected activity	WeirdStats::Info

Bro Diagnostics

Log File	Description	Field Descriptions
broker.log	Peering status events between Bro or Broker-enabled processes	Broker::Info
capture_loss.log	Packet loss rate	CaptureLoss::Info
cluster.log	Bro cluster messages	Cluster::Info
config.log	Configuration option changes	Config::Info
loaded_scripts.log	Shows all scripts loaded by Bro	LoadedScripts::Info
packet_filter.log	List packet filters that were applied	PacketFilter::Info
prof.log	Profiling statistics (to create this log, load policy/misc/profiling.bro)	N/A
reporter.log	Internal error/warning/info messages	Reporter::Info
stats.log	Memory/event/packet/lag statistics	Stats::Info
stderr.log	Captures standard error when Bro is started from BroControl	N/A
stdout.log	Captures standard output when Bro is started from BroControl	N/A